Your message dated Thu, 06 Feb 2025 11:20:07 +0000
with message-id <e1tfzvt-00bu0e...@fasolo.debian.org>
and subject line Bug#1085298: fixed in node-elliptic 6.6.1+dfsg-1
has caused the Debian Bug report #1085298,
regarding node-elliptic: CVE-2024-48948
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1085298: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085298
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: node-elliptic
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for node-elliptic.

CVE-2024-48948[0]:
| The Elliptic package 6.5.7 for Node.js, in its ECDSA
| implementation, does not correctly verify valid signatures if the
| hash contains at least four leading 0 bytes and when the order of
| the elliptic curve's base point is smaller than the hash, because of
| an _truncateToN anomaly. This leads to valid signatures being
| rejected. Legitimate transactions or communications may be
| incorrectly flagged as invalid.

https://github.com/indutny/elliptic/issues/321
https://github.com/indutny/elliptic/pull/322


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-48948
    https://www.cve.org/CVERecord?id=CVE-2024-48948

Please adjust the affected versions in the BTS as needed.

--- End Message ---
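
A simplified model of the truncation anomaly that the CVE text above describes, as an added example (not code from elliptic or from this bug report). It assumes the pre-fix code inferred the digest length from the digest's integer value, so leading zero bytes were not counted; the function names, the choice of the NIST P-224 order and the sample digests are constructed for illustration.

```javascript
// ECDSA keeps only the leftmost bitLength(n) bits of the digest when the
// digest is longer than the order n of the curve's base point.
// Order of the NIST P-224 base point (224 bits), shorter than a SHA-256 digest.
const N_P224 = 0xffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3dn;

const bitLength = (x) => (x === 0n ? 0 : x.toString(2).length);
const bytesToInt = (bytes) =>
  bytes.reduce((acc, b) => (acc << 8n) | BigInt(b), 0n);

// Assumed pre-fix behaviour: the digest length is derived from the integer,
// so leading zero bytes of the digest silently shorten it.
function truncateInferred(digest, n) {
  const z = bytesToInt(digest);
  const inferredBits = Math.ceil(bitLength(z) / 8) * 8;
  const delta = inferredBits - bitLength(n);
  return delta > 0 ? z >> BigInt(delta) : z;
}

// Length taken from the digest byte string itself, as the truncation requires.
function truncateByLength(digest, n) {
  const z = bytesToInt(digest);
  const delta = digest.length * 8 - bitLength(n);
  return delta > 0 ? z >> BigInt(delta) : z;
}

// True when the two truncations disagree. A verifier using the inferred
// length then checks the signature against a different integer than the
// signer used, and rejects a valid signature.
function truncationMismatch(digest, n) {
  return truncateInferred(digest, n) !== truncateByLength(digest, n);
}

// Constructed 32-byte digests: one with four leading zero bytes, one without.
const zeroLed = new Uint8Array(32).fill(0xab, 4);
const control = new Uint8Array(32).fill(0xab);

console.log('zero-led digest mismatch:', truncationMismatch(zeroLed, N_P224));
console.log('control digest mismatch: ', truncationMismatch(control, N_P224));
```

A regression test for a package that depends on elliptic can pin this case by verifying a known-good signature over a message whose digest starts with zero bytes.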
--- Begin Message ---
Source: node-elliptic
Source-Version: 6.6.1+dfsg-1
Done: Jérémy Lal <kapo...@melix.org>

We believe that the bug you reported is fixed in the latest version of
node-elliptic, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1085...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jérémy Lal <kapo...@melix.org> (supplier of updated node-elliptic package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Thu, 06 Feb 2025 11:43:12 +0100
Source: node-elliptic
Architecture: source
Version: 6.6.1+dfsg-1
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <pkg-javascript-de...@lists.alioth.debian.org>
Changed-By: Jérémy Lal <kapo...@melix.org>
Closes: 1085298
Changes:
 node-elliptic (6.6.1+dfsg-1) unstable; urgency=medium
 .
   * Team upload
   * New upstream version 6.6.1+dfsg
   * CVE-2024-48948: ECDSA signatures validation not correctly verified.
     Closes: #1085298.
   * Longer timeouts for tests.


--- End Message ---